You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Chris Custine (JIRA)" <ji...@apache.org> on 2007/07/24 22:01:05 UTC

[jira] Closed: (DIRSERVER-1007) SimpleAuthenticator rejects cached one-way encrypted passwords

     [ https://issues.apache.org/jira/browse/DIRSERVER-1007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Custine closed DIRSERVER-1007.
------------------------------------

       Resolution: Duplicate
    Fix Version/s: 1.5.1

This duplicates DIRSERVER-901 and has been fixed for 1.5.1.

> SimpleAuthenticator rejects cached one-way encrypted passwords
> --------------------------------------------------------------
>
>                 Key: DIRSERVER-1007
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1007
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.0
>            Reporter: Jonah Beckford
>            Priority: Minor
>             Fix For: 1.5.1
>
>
> Conditions
> - userPassword is stored as {SHA} (or some other one-way encryption) in the DIT
> - authentication request has password credentials sent in plain text
> Behavior
> - The first authentication request is successful.
> - All subsequent requests fail
> Cause
> - The one-way encrypted password is stored in the credentialCache after the first request, and subsequent (plain text) requests don't match what is stored in the credentialCache
> Fix
> - Do the same match checking on each request, regardless whether in cache or not in cache
> - Change SimpleAuthenticator::authenticate from:
>         if ( principal != null )
>         {
>             // Found ! Are the password equals ?
>             credentialsMatch = Arrays.equals( credentials, principal.getUserPassword() );
>         }
>         else
>         {
>             // Not found :(...
>             // Get the user password from the backend
>             byte[] userPassword = lookupUserPassword( principalDn );
>             
>             ... BLOCK # 1 ...
>         }
> to:
>         // Get the user password (from the backend if not in the cache)
>         byte[] userPassword = null;
>         if (principal == null)
>              userPassword = lookupUserPassword(principalDn);
>         else
>              userPassword = principal.getUserPassword();
>         ... BLOCK # 1 ...

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.